Division of Information Technology

Cyber Security: Don’t Go It Alone

1. Know your enemy, know yourself.

Anyone can use the internet – it’s very different from, say, driving a car, which requires authorization from a governing body, familiarity with the rules of the road, and standard automotive safety procedures. A lot of security issues occur because of a general lack of knowledge. We hope you use this guide wisely, to protect yourself and your data, and to make the internet a safer place for everyone.

It’s a dangerous world out there. The virtual world holds information about everyone and everything, it seems, and where there’s information, there are people attempting to profit from it, by any means necessary.

You may think “Why would I be a target? How is my information worth so much?” Consider this – in addition to bank account and financial information, every aspect of what you do online could be considered valuable. For example, if you attend a university and you have a digital transcript, with your name, password, email address, contact information, school information, subjects, and grades – that information would be valuable to marketing companies to add you to mailing lists without your consent. Identity thieves could use your information to spoof their way into financial transactions using your credentials and negatively affect your credit.

If you are a college student, don’t have much credit history, or are a parent, you should be especially aware of cyber security. The most valuable information hackers can get is PII (Personally Identifiable Information) from someone who has no or very little credit history, since there’s little data that would bring up red flags to lenders or creditors.

If you’re using a computer or smartphone that has malware, a keylogger might be recording your keystrokes and the websites you visit, sending that information back to hackers. If you have a Trojan virus, hackers could be accessing your files directly or launching programs on your computer directing it to spam others. If you open a phishing email, a virus could download that re-sends that malicious email to everyone on your contacts list.

Lists of passwords and IDs can be bought and sold on the black market, and you may not ever find out about this until you want to buy a house, or take out a loan, and the bank turns you down. When you use a credit or debit card to purchase goods and services, companies keep a digital record of your purchase, and if their security has been compromised, that information may be available to anyone who wants to buy it.

So, should you start storing money under the mattress, shut down the computer permanently, and withdraw from society? Of course not – but you should take active steps to make sure you are aware of what information you’re giving out and where, know the signs that you may have been compromised, and have a plan for what to do if you are compromised.

2. Mind your PII!

Personally identifiable information (PII) is any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for de-anonymizing anonymous data can be considered PII. This includes your name, address, date of birth, social security number, user ID, password, or even information about your family or life. Basically, this information is what’s most valuable to criminals, because it sets you apart from everyone else in the world.

Don’t give out PII to just anyone who asks – you will need to make a determination if it is for a legitimate or malicious purpose. For example, when you want to take money out of an ATM, you put in your credit card, and you are asked for your PIN number – that PIN number is PII, and it is being given for a legitimate purpose. If you call a doctor’s office to make an appointment and they ask for your date of birth and address – that’s a legitimate reason to give PII. If you receive a call from a company and they ask for your full social security number – that is NOT a legitimate purpose to give PII – treat this and similar situations with caution.

Valuable PII would be:

  • Social security number
  • Driver’s license/state ID number
  • Date of Birth
  • Full name
  • Home address
  • Home phone number
  • School ID number
  • Specific medical or financial information, such as bank account/credit card information

If you are asked to give PII, ask yourself first “can I trust the other person with this information?” and “will this information be kept secure?” This doesn’t just apply to in-person exchanges, but also includes information expressed over the telephone, or anything you type in an email or type in online. Make sure to mind your PII!

3. Hold that USB!

Just like in the real world, where coughing on another person could give them a nasty head cold, computer viruses and other malware can be passed on by physical contact. This doesn’t mean touching your screen to an infected iPad will give it a Trojan though – this type of exchange can occur when you plug in an infected USB, CD, Smartphone, or other media device to your machine.

While read-only optical media like CDs and DVDs usually have verified contents on them, read/write devices such as USB plugs (and the devices that can plug into them) may act as an unintentional spreading ground for malware. There’s a lot of malware today that scans for input devices and, when one is detected, copies itself to the device – and then, when that device is plugged into another machine, infects the new machine. Even completely new USB storage devices have been found to occasionally have malware loaded onto them.

So, if you have a virus on your phone, don’t plug it into your computer to charge (and vice versa) – even if the virus is not compatible with that device’s operating system, it’s still there, and can be transferred to other devices that use it.

The best practice is to make sure to include media devices when you’re running virus and malware scans, and to make sure they’re clean before using them.

4. Be smart about smartphones!

Years ago, cell phones couldn’t really do much besides make calls or send texts. Now, almost everyone has a smartphone, and while technology is rapidly increasing the number of new features they can use, and people are adding more and more data to their mobile devices, hackers are developing more sophisticated malware targeting smartphone operating systems.

If you get emails or use the internet with your smartphone, be mindful to use the same level of security as if you were on a computer – don’t open suspicious links or download suspicious applications. Smartphone apps can be Trojans or contain malware as well – make sure when you download an app it is verified and trusted by a recognized publisher – make sure you check out the ratings and reviews. If you see a popular app you want to get that has low ratings or is free (but should be for pay) – avoid it!

On your smartphone, also be aware of the networks you’re connecting to and your connection settings. Make sure you only connect to secure, encrypted networks, and be wary of connecting to public Wi-Fi. A lot of smartphones and mobile devices have a setting that allows the phone to act as a modem – make sure if you have this setting, it is only enabled to accept devices that you allow, and set a password.

5. The high-wireless act

Getting internet no longer requires you to plug into a wall – you have the power of freedom. But with great power comes great responsibility. Wireless networks are a prime target for hackers, especially in urban areas which encounter a lot of foot traffic. If you are broadcasting a wireless signal from your home router or mobile device, make sure that it’s encrypted, and use a strong password. If you are attempting to connect to a wireless network, make sure you connect to a secure network as well – hackers can and will set up networks and steal data from your wireless devices when you connect.

In addition to stealing information from you, having an unsecured network could lead to data leeching, which may also be used for malicious purposes. If you are running an unsecured wireless network in your house, someone with malicious intentions could connect to your network, and download illegal software or conduct criminal activities – and when authorities trace the activities back to the source, it’ll appear as if it came from you, since they were on your network!

6. Social media – friend or foe?

Social media and chat networks are awesome. You can friend people that you forgot about years ago, find old classmates, and make new friends across the globe. However, amidst all the pictures, sharing stories, and posts about cats, if you don’t protect your PII, there’s a danger lurking. A popular technique used by hackers is to set up spoofed accounts of people on social networks such as Facebook, Skype and LinkedIn, and attempt to friend you or have you “add” them. Once you do this, you’re giving them access to all the PII you’ve created on that social network – names, photos, family information, and more.

Be careful about who you friend – they may become your worst enemy!

7. Monitor your monitor

While there’s a lot of malicious software out there, there are also a lot of valuable tools and resources to refer to and use for your own security purposes. Many internet browsers are now designed to update automatically on new releases, and patches for security loopholes are often documented and resolved.

Even the most secure websites can be compromised and are, every day. Make sure you go out there with the proper equipment.

  • Use up-to-date versions of your browser – if it prompts you to install the update, install it (after ensuring it is from the verified publisher).
  • On Windows Vista or later Windows operating systems, you will receive alerts if a program attempts to change settings on your computer. Pay attention to these, and make sure to authorize only changes you know about.
  • Make sure you have an antivirus installed that also has anti-malware: there are many antivirus companies that provide excellent service. Some are free (but have paid features), and some are subscription based. There are several free antivirus and anti-malware programs which are very highly rated – Panda, Bitdefender, Malwarebytes, Ad-Aware, Avast, and AVG all have free versions, just to name a few. With a paid or subscription upgrade, your protective software can provide you better passive protection and active protection when you are browsing, and most offer some level of immediate customer support and resolution handling. Kaspersky, McAfee and Norton are some of the big names in paid virus protection. Having a computer without an antivirus program is like having a house without a lock!
  • Wait for a web page to load before clicking around. Sometimes, slow-loading web pages have hidden data and popups that are activated by clicking in certain areas.
  • Look before you click – some web pages that have beneficial content have ads that look like download buttons or links to the software you want. Make sure to read everything carefully before clicking!
  • Avoid opening suspicious emails – if you see an email that is not from someone you know, or looks sort of/kind of like it came from a company or bank, and it’s asking you to follow a link or download a file, treat this with caution, as it may be a phishing attempt. For the record, most banks and government agencies do NOT ask for PII via email – so if you see this, be alert.
  • Watch out for email scams as well – emails promising you money or favors in exchange of sharing a bank account or providing a small initial deposit. Don’t reply, and make sure they are flagged as junk mail or spam to your internet provider!
  • If you are on a shopping website where you are asked to provide credit card or banking information, or a website that requires you to submit PII such as your social security number, make sure the site is using SSL (Secure Sockets Layer) and Secure HTTP (HTTPS), and check the site’s certificate to make sure it’s secure. You can usually do this by clicking on an area to the left of the URL bar. If there’s an issue with the site’s certificate or it can’t be authenticated, stay away!

In addition to these practices, you should also protect against physical data compromise by:

  • Putting a password on your computer, so that only you (or another authorized user) can access it.
  • Not using the administrative login unless you absolutely need to, if you have administrative access to your computer – use a regular, user-level login instead. This ensures that if your account is somehow compromised, the malware will not be able to affect administrative settings of your computer.
  • Locking your screen when not using it – not with a physical lock of course, but by enabling the setting that prevents someone from accessing it while you’re away. Windows 8 and later operating systems, and many handheld devices, offer “touch-passwords” or “picture passwords” which require you to set up your password as a gesture or set of pictures rather than a letter/number password. This provides much greater security.
  • Not leaving your mobile device unattended or alone in a car! Thieves will break into cars just to steal phones – treat your phone, laptop or tablet as if it were a wallet or purse – don’t let it sit out in plain sight.

8. Uh-oh…what do I do now?

So you think you have malware on your machine. Maybe you clicked a phishing link by mistake, or went to a new website that had strange popups, and now your computer is slow, programs are crashing, odd new software is appearing, or you can’t connect to the internet anymore. Don’t worry, it happens to the best of us. There are a few important things you need to do:

  1. DO take a deep breath, calm down, and don’t panic. Stress causes irrational actions, and you could end up doing something that causes further damage.
  2. DO NOT turn the computer off or attempt to restart it. A large portion of malware is designed so that the user thinks it’s a “normal computer error” that can be fixed when the system restarts – when in fact, restarting triggers the malware’s code to edit settings that can only be modified during this time, like the registry – further throttling your computer’s performance.
  3. DO NOT run unnecessary programs – if you think you’re on a compromised computer, don’t use it to log into your bank and check your balance, or try to change your passwords yet. There’s a good chance that information will be recorded.
  4. DO contact your ITS department right away (give them a call) and tell them the situation. If they ask for information about your computer, what programs you are using, and what websites you went to, let them know! They are professionals and will do what they can to both mitigate the problem and restore your computer to working order.

9. Common terms and their explanations:

‘Malware’ is an umbrella term used to refer to a variety of forms of hostile or intrusive software, including computer viruses, worms, Trojan horses, ransomware, spyware, adware, scareware, and other malicious programs. It can take the form of executable code, scripts, active content, and other software.

Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication. A phishing attempt could be an email that appears to be coming from a reputable source (say, a cousin, or a teacher, or a company) that has a link or attachment in it that usually discreetly downloads a virus or a keylogger into your system. Phishing emails usually have an “urgent” tone, stating that you need to open the attachment or follow the link immediately, and more often than not, contain grammatical miscues. Phishing can also come via phone, by people pretending to be from the government, a company, or IT – if you get a call that asks you for PII, make sure you can trust the caller. If you are unsure whether you are being phished, make sure you contact IT services right away!

A Trojan horse, or Trojan, in computing is any malicious computer program which misrepresents itself as useful, routine, or interesting in order to persuade a victim to install it. These could be installed on your machine by other malware or compromised websites. A lot of Trojans attempt to pass themselves off as games or security software, and while they slow your computer down, they prompt you to run the “security” software, which leads to further damage. Trojans usually do one (or more) of the following:

  • Install malware on your computer
  • Open a “backdoor” – basically letting other compromised machines connect and access your computer’s data
  • Slow down your computer or crash files/programs

To avoid Trojans, make sure you have an updated and active antivirus program with the latest antivirus security installed on your machine, don’t click on phishing links, and avoid websites that have been compromised.

Adware, or advertising-supported software, is any software package that automatically renders advertisements in order to generate revenue for its author. The advertisements may be in the user interface of the software or on a screen presented to the user during the installation process. While adware is not necessarily malicious, it is intrusive and can be used to collect data and PII if you are not careful. This can generally be found in “free”* software downloads.

*remember, nothing is ever truly free – there’s always a price to be paid!

Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of recording (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored. While there are several legal uses for keyloggers, their malicious use is prevalent and can capture your passwords and entered information on web forms.

A computer virus is a malware program that, when executed, replicates by inserting copies of itself (possibly modified) into other computer programs, data files, or the boot sector of the hard drive; when this replication succeeds, the affected areas are then said to be “infected”. Viruses often perform some type of harmful activity on infected hosts, such as stealing hard disk space or CPU time, accessing private information, corrupting data, displaying political or humorous messages on the user’s screen, spamming their contacts, logging their keystrokes, or even rendering the computer useless. However, not all viruses carry a destructive payload or attempt to hide themselves—the defining characteristic of viruses is that they are self-replicating computer programs which install themselves without user consent.

A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or areas of its software that would not otherwise be allowed (for example, to an unauthorized user) while at the same time masking its existence or the existence of other software. These are typically very difficult to get rid of, as they consist of multiple components.

A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. Often, it uses a computer network to spread itself, relying on security failures on the target computer to access it. Unlike a computer virus, it does not need to attach itself to an existing program. Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.

Ransomware is a type of malware that prevents or limits users from accessing their system. This type of malware forces its victims to pay a ransom through certain online payment methods in order to regain access to their systems, or to get their data back. Some ransomware encrypts files (CryptoLocker is one such family).

DDoS is a type of attack where multiple compromised systems, which are often infected with a Trojan, are used to target a single system, causing a Denial of Service (DoS) attack. This can slow down bandwidth or halt it completely.

A Compromised Computer is defined as any computing resource whose confidentiality, integrity or availability has been adversely impacted, either intentionally or unintentionally.

10. Bank on these tips

  • Don’t keep your PIN number, bank account number, credit card information, or PII such as your social security number in your wallet. If you lose it, you may lose more than the money inside!
  • Know about and monitor your credit. You can subscribe to Experian or TransUnion, which are credit reporting agencies. Another excellent resource is creditkarma.com – this is free and provides your credit scores and other factors that influence your credit, like late payments or inquiries.
  • Make sure your bank has fraud protection on your account, and sign up for monitoring if it’s available – if you lose your credit card, or your information gets stolen from a company, you will be alerted and can prevent further damage to your credit.
  • Services which constantly monitor your credit and sensitive information, such as LifeLock, are becoming more popular and are a great tool, in both prevention and reconciliation of a data compromise. They provide compensation in case your data or credit is compromised and offer support in reestablishing credit.
  • Don’t throw out receipts or leave them lying around ATMs or banks – rip them up before throwing them out.
  • Shred sensitive financial, medical, or other paper information that contains PII before you discard it – this includes junk mail!

11. Passwords – Common sense saves cents (and dollars!)

  • Use a strong password that meets at LEAST the minimum standards provided on all your devices, wireless connections, and accounts. Make sure this password includes letters, numbers, and special characters; do not use a password that includes other PII, or is easy to guess.
  • Do not use the same password for multiple accounts, and change your passwords every month. This may seem a bit extreme, but it’s the best security practice. Think about it this way – your PII is like a house, with all your stuff inside. Billions of “people” will pass by your “house” (and all the other ones out there) every day, most harmlessly on their way somewhere else, but every day, people will try to break into your house by trying to smash the windows, or open the door, or get you to let them in. Your door’s lock and key is your password. A “brute force” attack is when a hacker, in the above example, stands on your doorstep and takes out millions of keys to try them on your door – eventually, if your password’s not unique and secure enough, one of those keys will work, and they’ll gain access. That’s where having a strong, unique, and changing password will come in handy.
  • And of course, don’t write down passwords and leave them lying around.
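
The checks in the list above, written out as an added example (it is not part of the original guide): it tests a candidate password for the three character types, for embedded PII, and for reuse, and counts how many "keys" a brute-force attacker would have to try. The 12-character minimum, the sample PII and the guessing rate are assumptions, since the guide gives no numbers.

```python
import re
import string

MIN_LENGTH = 12  # assumption: the guide names no number; use your provider's minimum

# Constructed sample data, not a real person.
SAMPLE_PII = {
    "full name": "Jordan Smith",
    "date of birth": "1999-04-17",
    "school ID number": "S0012345",
}


def squash(text):
    """Lower-case and drop separators so 'Smith-1999' and 'smith1999' compare equal."""
    return "".join(c for c in text.lower() if c.isalnum())


def pii_tokens(value):
    """Pieces of one PII value that should never appear inside a password."""
    parts = re.findall(r"[a-z0-9]+", value.lower())
    tokens = {p for p in parts if len(p) >= 4}  # skip short pieces like "04"
    whole = "".join(parts)
    if len(whole) >= 4:
        tokens.add(whole)
    return tokens


def check_password(password, pii_values, other_passwords=()):
    """Return the list of problems found; an empty list means every check passed."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no numbers")
    if not any(c in string.punctuation for c in password):
        problems.append("no special characters")
    squashed = squash(password)
    for label, value in pii_values.items():
        if any(token in squashed for token in pii_tokens(value)):
            problems.append(f"contains PII: {label}")
    if password in other_passwords:
        problems.append("reused on another account")
    return problems


def brute_force_keys(password):
    """Number of 'keys' to try: (size of character pool) ** (password length).

    This is an upper bound. A password that appears on a stolen or traded
    password list, or that is built from PII, falls far sooner.
    """
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)  # 32 ASCII symbols
    return pool ** len(password)


def years_to_exhaust(password, guesses_per_second=1e10):
    """Time to try every key at a hypothetical guessing rate (an assumption)."""
    return brute_force_keys(password) / guesses_per_second / (3600 * 24 * 365)


if __name__ == "__main__":
    for candidate in ("Smith1999!", "correct-Horse7battery"):
        print(candidate, check_password(candidate, SAMPLE_PII),
              f"{years_to_exhaust(candidate):.3g} years")
```
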

12. Resources

These resources are great for information on cyber-security; they offer help and give a good picture of what to be aware of:

Google’s Digital Attack Map: https://www.digitalattackmap.com/
A project that emerged from Google Ideas in 2013, the Digital Attack Map is essentially a clever front end placed on global DDoS attack data fed to it by Arbor Networks’ Atlas monitoring nodes on the Internet. Then as now the strength of the concept is that it offers data on DDoS attack trends in real time; a limitation is that significant attacks are often hard to spot amidst the flood of other packets.

Bleeping Computer: https://www.bleepingcomputer.com/
One of the best help resources out there for ordinary computer users coping with malware infection, particularly recent infection types such as ransomware, screen lockers and aggressive adware. Excellent range of technical ‘how to’ features and a good place to hear about the latest threats and security gossip before security software firms have mentioned anything. Predominantly Windows but covers all platforms.

US-CERT: https://www.us-cert.gov/
After years when nothing changed on the homepage, the site now covers recent vulnerabilities and attacks in modest depth. Offers weekly vulnerability summaries.

Common Vulnerabilities and Exposures (CVE): https://cve.mitre.org/
The Common Vulnerabilities and Exposures (CVE) database is the definitive public software flaw repository (searched through the US National Vulnerability Database), maintained by Mitre Corporation as a system for identifying software flaws. CVEs are the way to find and study the background to any vulnerability and are used across the industry for that purpose. Flaws are also scored for severity using the Common Vulnerability Scoring System (CVSS).

Microsoft Malware Protection Center: https://www.microsoft.com/security/portal/mmpc/default.aspx
Devoted to Windows (of course) but still an increasingly useful resource for troubleshooting a range of security issues. Explains the inner depths of Microsoft’s evolving approach to security better than any of the other public sites and offers a jumping off point to the firm’s full gamut of security-oriented blogs and tools.

Cloud Security Alliance (CSA): https://cloudsecurityalliance.org/
Not a security website in the conventional sense but the first place to visit to understand the considerable complexities of the new and sometimes unfamiliar model of computing. Although partly aimed at its vendor members, there is plenty on this site for anyone looking for technological context and explainers.

Secunia: https://secunia.com/
A commercial firm selling data but Denmark-based Secunia offers excellent retrospective reports analysing the top software flaws reported using its free-to-download PSI tool. Also extends the raw data fed into public systems such as CVE.org with useful statistics on the software reporting the most flaws and the most serious zero days. A great sanity check. Secunia was acquired by Flexera Software in September 2015.

Breach Level Index (BLI): https://breachlevelindex.com/
Now under the auspices of Gemalto (which bought security firm SafeNet in early 2015), the BLI is currently the best public, near real-time database of reported data breach across the world. Allows researchers to search for breaches according to country, sector, breach type, organisations and also applies its own risk score of severity.

SecureMac: https://www.securemac.com/
Not that long ago there wouldn’t have been enough to talk about and little user interest. But as a previous Techworld slideshow attests, the Apple world is now firmly in the sights of hackers and criminals. This is now essential reading for anyone with an Apple device of any kind who no longer wants to take threats for granted. The list of threats is now surprisingly busy.

SecTools: https://sectools.org/
Notable for its listing of the best free security tools, always a handy point of reference when considering paying money for software. Updated often and pretty comprehensive, also lists tools by use as well as popularity and features user reviews – useful background if you still think TrueCrypt is kosher.

VirusTotal: https://www.virustotal.com/
Encountered an unusual or suspicious file? The VirusTotal industry website is the best place to submit it to a clutch of anti-virus engines to see if it checks out or has been marked bad. Crowdsourcing at its best, and it can also be used against suspicious URLs. Often used as a point of reference for the time it takes engines and specific vendors to add malware signatures to their products.